From: Todd C. Miller
Date: Sat, 9 Feb 2008 14:30:07 +0000 (+0000)
Subject: Add support for SELinux RBAC. Sudoers entries may specify a role and type.
X-Git-Tag: SUDO_1_7_0~199
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4c992e19010b06352c5b0daef79ed771013765f7;p=sudo

Add support for SELinux RBAC. Sudoers entries may specify a role and type. There are also role and type defaults that may be used. To make sure a transition occurs, when using RBAC commands are executed via the new sesh binary. Based on initial changes from Dan Walsh.
---
diff --git a/sudo.c b/sudo.c
index 7bd154cb5..714a5b6b6 100644
--- a/sudo.c
+++ b/sudo.c
@@ -91,6 +91,9 @@
 # include
 # include
 #endif
+#ifdef HAVE_SELINUX
+# include
+#endif
 #include "sudo.h"
 #include "sudo_usage.h"
@@ -490,8 +493,14 @@ main(argc, argv, envp)
 #ifndef PROFILING
 if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
 exit(0);
- else
+ else {
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled() > 0 && user_role != NULL)
+ selinux_exec(user_role, user_type, NewArgv,
+ ISSET(sudo_mode, MODE_LOGIN_SHELL));
+#endif
 execv(safe_cmnd, NewArgv);
+ }
 #else
 exit(0);
 #endif /* PROFILING */
@@ -954,6 +963,28 @@ parse_args(argc, argv)
 case 'E':
 SET(rval, MODE_PRESERVE_ENV);
 break;
+#ifdef HAVE_SELINUX
+ case 'r':
+ /* Must have an associated SELinux role. */
+ if (NewArgv[1] == NULL)
+ usage(1);
+
+ user_role = NewArgv[1];
+
+ NewArgc--;
+ NewArgv++;
+ break;
+ case 't':
+ /* Must have an associated SELinux type. */
+ if (NewArgv[1] == NULL)
+ usage(1);
+
+ user_type = NewArgv[1];
+
+ NewArgc--;
+ NewArgv++;
+ break;
+#endif
 case '-':
 NewArgc--;
 NewArgv++;
diff --git a/sudo.cat b/sudo.cat
index 1df7a46c5..9672fa459 100644
--- a/sudo.cat
+++ b/sudo.cat
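Review bot: In the new `else` branch of main(), if `selinux_exec()` returns, control falls through to `execv(safe_cmnd, NewArgv)`, so a failure to establish the requested SELinux context would run the command in the caller's current context with the role and type silently dropped; the sudo.h hunk declares it `void selinux_exec __P((char *, char *, char **, int));`, so the caller cannot tell the difference. Unless selinux_exec is guaranteed never to return (its body is not part of this diff), a return should be treated as fatal instead of proceeding to the unconfined execv, e.g. by placing `exit(1);` after the call inside the `#ifdef HAVE_SELINUX` block. The same guard also skips selinux_exec entirely when `is_selinux_enabled() <= 0`, so a `-r`/`-t` given on a system without SELinux is accepted by parse_args but ignored without any message; rejecting it up front would make the outcome explicit. main() begins and ends outside the hunk.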
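Review bot: The new `case 't':` in parse_args() stores `user_type` without requiring `-r`, but the main() hunk only calls selinux_exec when `user_role != NULL`, so `-t type` on its own is accepted and then never applied. Either reject the combination once option parsing is done, `if (user_type != NULL && user_role == NULL) usage(1);`, or document that a type without a role is deliberately ignored. The role and type strings are taken straight from argv here and nothing in this hunk checks them against what the matching sudoers entry permits; a one-line comment pointing at where that policy check happens (not visible in this diff) would help the next reader. parse_args() continues outside the hunk.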
@@ -13,7 +13,8 @@ SSYYNNOOPPSSIISS ssuuddoo --ll [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] - [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}] + [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] + [{--ii | --ss] [<_c_o_m_m_a_n_d}] ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... @@ -57,11 +58,10 @@ DDEESSCCRRIIPPTTIIOONN ssuuddoo can log both successful and unsuccessful attempts (as well as errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log - via _s_y_s_l_o_g(3) but this is changeable at configure time or via the -1.7 January 21, 2008 1 +1.7 February 9, 2008 1 @@ -70,7 +70,8 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - _s_u_d_o_e_r_s file. + via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_- + _e_r_s file. OOPPTTIIOONNSS ssuuddoo accepts the following command line options: @@ -123,11 +124,10 @@ OOPPTTIIOONNSS 2. The editor specified by the VISUAL or EDITOR environ- ment variables is run to edit the temporary files. If - neither VISUAL nor EDITOR are set, the program listed -1.7 January 21, 2008 2 +1.7 February 9, 2008 2 @@ -136,6 +136,7 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + neither VISUAL nor EDITOR are set, the program listed in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used. 3. If they have been modified, the temporary files are 
@@ -178,8 +179,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) to change to that user's home directory before running the shell. It also initializes the environment, leaving _D_I_S_- _P_L_A_Y and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_- - _N_A_M_E, and _P_A_T_H, as well as the contents of _/_e_t_c_/_e_n_v_i_r_o_n_- - _m_e_n_t. All other environment variables are removed. + _N_A_M_E, and _P_A_T_H, as well as the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t + on Linux and AIX systems. All other environment variables + are removed. -K The --KK (sure _k_i_l_l) option is like --kk except that it removes the user's timestamp entirely. Like --kk, this option does @@ -188,12 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's times- tamp by setting the time on it to the Epoch. The next time ssuuddoo is run a password will be required. This option does - not require a password and was added to allow a user to - revoke ssuuddoo permissions from a .logout file. -1.7 January 21, 2008 3 +1.7 February 9, 2008 3 @@ -202,6 +202,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + not require a password and was added to allow a user to + revoke ssuuddoo permissions from a .logout file. + -L The --LL (_l_i_s_t defaults) option will list out the parameters that may be set in a _D_e_f_a_u_l_t_s line along with a short description for each. This option is useful in conjunction 
@@ -248,18 +251,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) system password prompt on systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security con- + text to have the role specified by _r_o_l_e. + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from the standard input instead of the terminal device. - -s [command] - The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L - environment variable if it is set or the shell as specified - in _p_a_s_s_w_d(4). If a command is specified, it is passed to - the shell for execution. Otherwise, an interactive shell - -1.7 January 21, 2008 4 +1.7 February 9, 2008 4 @@ -268,8 +268,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -s [command] + The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L + environment variable if it is set or the shell as specified + in _p_a_s_s_w_d(4). If a command is specified, it is passed to + the shell for execution. Otherwise, an interactive shell is executed. + -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security con- + text to have the type specified by _t_y_p_e. If no type is + specified, the default type is derived from the specified + role. + -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll option to specify the user whose privileges should be listed. Only root or a user with ssuuddoo ALL on the current 
@@ -312,20 +322,10 @@ RREETTUURRNN VVAALLUUEESS Upon successful execution of a program, the return value from ssuuddoo will simply be the return value of the program that was executed. - Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- - tion/permission problem or if ssuuddoo cannot execute the given command. - In the latter case the error string is printed to stderr. If ssuuddoo can- - not _s_t_a_t(2) one or more entries in the user's PATH an error is printed - on stderr. (If the directory does not exist or if it is not really a - directory, the entry is ignored and no error is printed.) This should - not happen under normal circumstances. The most common reason for - _s_t_a_t(2) to return "permission denied" is if you are running an auto- - mounter and one of the directories in your PATH is on a machine that is - currently unreachable. -1.7 January 21, 2008 5 +1.7 February 9, 2008 5 @@ -334,6 +334,17 @@ RREETTUURRNN VVAALLUUEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- + tion/permission problem or if ssuuddoo cannot execute the given command. + In the latter case the error string is printed to stderr. If ssuuddoo can- + not _s_t_a_t(2) one or more entries in the user's PATH an error is printed + on stderr. (If the directory does not exist or if it is not really a + directory, the entry is ignored and no error is printed.) This should + not happen under normal circumstances. The most common reason for + _s_t_a_t(2) to return "permission denied" is if you are running an auto- + mounter and one of the directories in your PATH is on a machine that is + currently unreachable. + SSEECCUURRIITTYY NNOOTTEESS ssuuddoo tries to be safe when executing external commands. 
@@ -376,22 +387,11 @@ SSEECCUURRIITTYY NNOOTTEESS allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp directory is located in a directory writable by anyone (e.g., _/_t_m_p), it is possible for a user to create the timestamp directory before ssuuddoo is - run. However, because ssuuddoo checks the ownership and mode of the direc- - tory and its contents, the only damage that can be done is to "hide" - files by putting them in the timestamp dir. This is unlikely to happen - since once the timestamp dir is owned by root and inaccessible by any - other user, the user placing files there would be unable to get them - back out. To get around this issue you can use a directory that is not - world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or cre- - ate _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permissions - (0700) in the system startup files. + run. However, because ssuuddoo checks the ownership and mode of the - ssuuddoo will not honor timestamps set far in the future. Timestamps with - a date greater than current_time + 2 * TIMEOUT will be ignored and sudo - -1.7 January 21, 2008 6 +1.7 February 9, 2008 6 
@@ -400,6 +400,17 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + directory and its contents, the only damage that can be done is to + "hide" files by putting them in the timestamp dir. This is unlikely to + happen since once the timestamp dir is owned by root and inaccessible + by any other user, the user placing files there would be unable to get + them back out. To get around this issue you can use a directory that + is not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) + or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permis- + sions (0700) in the system startup files. + + ssuuddoo will not honor timestamps set far in the future. Timestamps with + a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files. @@ -444,27 +455,26 @@ EENNVVIIRROONNMMEENNTT USER Set to the target user (root unless the --uu option is specified) - VISUAL Default editor to use in --ee (sudoedit) mode - -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee -EEXXAAMMPPLLEESS - Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. +1.7 February 9, 2008 7 -1.7 January 21, 2008 7 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + VISUAL Default editor to use in --ee (sudoedit) mode -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee oonn LLiinnuuxx aanndd AAIIXX +EEXXAAMMPPLLEESS + Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. To get a file listing of an unreadable directory: 
@@ -510,27 +520,28 @@ CCAAVVEEAATTSS possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. See the _s_u_d_o_e_r_s(4) manual for details. - It is not meaningful to run the cd command directly via sudo, e.g., - $ sudo cd /usr/local/protected - since when the command exits the parent process (your shell) will still - be the same. Please see the EXAMPLES section for more information. - If users have sudo ALL there is nothing to prevent them from creating - their own program that gives them a root shell regardless of any '!' - elements in the user specification. +1.7 February 9, 2008 8 -1.7 January 21, 2008 8 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + It is not meaningful to run the cd command directly via sudo, e.g., -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo cd /usr/local/protected + since when the command exits the parent process (your shell) will still + be the same. Please see the EXAMPLES section for more information. + + If users have sudo ALL there is nothing to prevent them from creating + their own program that gives them a root shell regardless of any '!' + elements in the user specification. Running shell scripts via ssuuddoo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS @@ -578,17 +589,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - -1.7 January 21, 2008 9 +1.7 February 9, 2008 9 diff --git a/sudo.h b/sudo.h index ba8443646..5b35d2bf9 100644 --- a/sudo.h +++ b/sudo.h @@ -57,6 +57,10 @@ struct sudo_user { int ngroups; GETGROUPS_T *groups; struct list_member *env_vars; +#ifdef HAVE_SELINUX + char *role; + char *type; +#endif char cwd[PATH_MAX]; }; @@ -147,6 +151,8 @@ struct sudo_user { #define login_class (sudo_user.class_name) #define runas_pw (sudo_user._runas_pw) #define runas_gr (sudo_user._runas_gr) +#define user_role (sudo_user.role) +#define user_type (sudo_user.type) /* * We used to use the system definition of PASS_MAX or _PASSWD_LEN, 
@@ -299,6 +305,9 @@ struct passwd *sudo_fakepwuid __P((uid_t)); struct group *sudo_getgrnam __P((const char *)); struct group *sudo_fakegrnam __P((const char *)); struct group *sudo_getgrgid __P((gid_t)); +#ifdef HAVE_SELINUX +void selinux_exec __P((char *, char *, char **, int)); +#endif YY_DECL; /* Only provide extern declarations outside of sudo.c. */ diff --git a/sudo.man.in b/sudo.man.in index b47528ad7..6da4bce77 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "February 9, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" @@ -162,7 +162,8 @@ sudo, sudoedit \- execute a command as another user .PP \&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}] +[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}] .PP \&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] 
@@ -315,8 +316,8 @@ shell is executed. \fBsudo\fR attempts to change to that user's home directory before running the shell. It also initializes the environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting \&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as -the contents of \fI/etc/environment\fR. All other environment variables -are removed. +the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems. +All other environment variables are removed. .IP "\-K" 12 .IX Item "-K" The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes @@ -391,6 +392,10 @@ The prompt specified by the \fB\-p\fR option will override the system password prompt on systems that support \s-1PAM\s0 unless the \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. .RE +.IP "\-r \fIrole\fR" 12 +.IX Item "-r role" +The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +have the role specified by \fIrole\fR. .IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from @@ -401,6 +406,11 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\ environment variable if it is set or the shell as specified in \&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. +.IP "\-t \fItype\fR" 12 +.IX Item "-t type" +The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +have the type specified by \fItype\fR. If no type is specified, the default +type is derived from the specified role. .IP "\-U \fIuser\fR" 12 .IX Item "-U user" The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR 
@@ -589,9 +599,9 @@ Default editor to use in \fB\-e\fR (sudoedit) mode .ie n .IP "\fI@timedir@\fR\*(C` \*(C'Directory containing timestamps" 4 .el .IP "\fI@timedir@\fR\f(CW\*(C` \*(C'\fRDirectory containing timestamps" 4 .IX Item "@timedir@ Directory containing timestamps" -.ie n .IP "\fI/etc/environment\fR\*(C` \*(C'\fRInitial environment for \fB\-i mode" 4 -.el .IP "\fI/etc/environment\fR\f(CW\*(C` \*(C'\fRInitial environment for \fB\-i\fR mode" 4 -.IX Item "/etc/environment Initial environment for -i mode" +.ie n .IP "\fI/etc/environment\fR\*(C` \*(C'\fRInitial environment for \fB\-i mode on Linux and \s-1AIX\s0" 4 +.el .IP "\fI/etc/environment\fR\f(CW\*(C` \*(C'\fRInitial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0" 4 +.IX Item "/etc/environment Initial environment for -i mode on Linux and AIX" .PD .SH "EXAMPLES" .IX Header "EXAMPLES" diff --git a/sudo.pod b/sudo.pod index d249d87c2..a8f2d8e3f 100644 --- a/sudo.pod +++ b/sudo.pod @@ -35,8 +35,8 @@ S<[B<-u> I|I<#uid>]> [I] B [B<-bEHPS>] S<[B<-a> I]> S<[B<-C> I]> S<[B<-c> I|I<->]> S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-u> I|I<#uid>]> S<[B=I]> [S<{B<-i> | B<-s>] -[}>] +S<[B<-r> I]> S<[B<-t> I]> S<[B<-u> I|I<#uid>]> +S<[B=I]> [S<{B<-i> | B<-s>] [}>] B [B<-S>] S<[B<-a> I]> S<[B<-C> I]> S<[B<-c> I|I<->]> S<[B<-g> I|I<#gid>]> S<[B<-p> I]> @@ -292,6 +292,11 @@ The prompt specified by the B<-p> option will override the system password prompt on systems that support PAM unless the I flag is disabled in I. +=item -r I + +The B<-r> (I) option causes the new (SELinux) security context to +have the role specified by I. + =item -S The B<-S> (I) option causes B to read the password from 
@@ -304,6 +309,12 @@ environment variable if it is set or the shell as specified in L. If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. +=item -t I + +The B<-t> (I) option causes the new (SELinux) security context to +have the type specified by I. If no type is specified, the default +type is derived from the specified role. + =item -U I The B<-U> (I) option is used in conjunction with the B<-l> diff --git a/sudo_usage.h.in b/sudo_usage.h.in index 70c99ed37..068e652ea 100644 --- a/sudo_usage.h.in +++ b/sudo_usage.h.in @@ -7,7 +7,7 @@ */ #define SUDO_USAGE1 " -h | -K | -k | -L | -V | -v" #define SUDO_USAGE2 " -l [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]" -#define SUDO_USAGE3 " [-bEHPS] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []" -#define SUDO_USAGE4 " -e [-S] @BSDAUTH_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..." +#define SUDO_USAGE3 " [-bEHPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []" +#define SUDO_USAGE4 " -e [-S] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..." #endif /* _SUDO_USAGE_H */ diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 84015a64f..11094fc94 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7 January 21, 2008 1 +1.7 February 9, 2008 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 2 +1.7 February 9, 2008 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 3 +1.7 February 9, 2008 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 4 +1.7 February 9, 2008 4 
@@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 5 +1.7 February 9, 2008 5 @@ -391,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 6 +1.7 February 9, 2008 6 @@ -457,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 7 +1.7 February 9, 2008 7 @@ -478,11 +478,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - Sudo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to - specify the _s_u_d_o_e_r_s search order. Sudo looks for a line beginning with - sudoers: and uses this to determine the search order. Note that ssuuddoo - does not stop searching after the first match and later matches take - precedence over earlier ones. + Unless it is disabled at build time, ssuuddoo consults the Name Service + Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. + Sudo looks for a line beginning with sudoers: and uses this to deter- + mine the search order. Note that ssuuddoo does not stop searching after + the first match and later matches take precedence over earlier ones. The following sources are recognized: @@ -523,7 +523,7 @@ EEXXAAMMPPLLEESS -1.7 January 21, 2008 8 +1.7 February 9, 2008 8 @@ -589,7 +589,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 9 +1.7 February 9, 2008 9 @@ -655,7 +655,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 21, 2008 10 +1.7 February 9, 2008 10 @@ -721,7 +721,7 @@ SSEEEE AALLSSOO -1.7 January 21, 2008 11 +1.7 February 9, 2008 11 @@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 21, 2008 12 +1.7 February 9, 2008 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 2a40c0d10..d42da1fee 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in 
@@ -146,7 +146,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "February 9, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" @@ -540,11 +540,12 @@ with the remote server. See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. .Sh "Configuring nsswitch.conf" .IX Subsection "Configuring nsswitch.conf" -Sudo consults the Name Service Switch file, \fI@nsswitch_conf@\fR, -to specify the \fIsudoers\fR search order. Sudo looks for a line -beginning with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search -order. Note that \fBsudo\fR does not stop searching after the first -match and later matches take precedence over earlier ones. +Unless it is disabled at build time, \fBsudo\fR consults the Name +Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR +search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers:\*(C'\fR and +uses this to determine the search order. Note that \fBsudo\fR does +not stop searching after the first match and later matches take +precedence over earlier ones. .PP The following sources are recognized: .PP diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index 496d850dc..9ca47be16 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod 
@@ -455,11 +455,12 @@ See the C entry in the L section.
 =head2 Configuring nsswitch.conf
-Sudo consults the Name Service Switch file, F<@nsswitch_conf@>,
-to specify the I search order. Sudo looks for a line
-beginning with C and uses this to determine the search
-order. Note that B does not stop searching after the first
-match and later matches take precedence over earlier ones.
+Unless it is disabled at build time, B consults the Name
+Service Switch file, F<@nsswitch_conf@>, to specify the I
+search order. Sudo looks for a line beginning with C and
+uses this to determine the search order. Note that B does
+not stop searching after the first match and later matches take
+precedence over earlier ones.
 The following sources are recognized:
diff --git a/testsudoers.c b/testsudoers.c
index 4f81c1e13..e9a0d908c 100644
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -519,6 +519,12 @@ print_privilege(priv)
 }
 fputs(") ", stdout);
 }
+#ifdef HAVE_SELINUX
+ if (cs->role)
+ printf("ROLE=%s ", cs->role);
+ if (cs->type)
+ printf("TYPE=%s ", cs->type);
+#endif /* HAVE_SELINUX */
 if (cs->tags.nopasswd != UNSPEC && cs->tags.nopasswd != tags.nopasswd)
 printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : "");
 if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec)
diff --git a/toke.c b/toke.c
index cf0824968..88d3ec9a6 100644
--- a/toke.c
+++ b/toke.c
@@ -1997,17 +1997,27 @@ YY_RULE_SETUP if (strcmp(yytext, "ALL") == 0) { LEXTRACE("ALL "); return(ALL); - } else { - if (!fill(yytext, yyleng)) - yyterminate(); - LEXTRACE("ALIAS "); - return(ALIAS); } +#ifdef HAVE_SELINUX + /* XXX - restrict type/role to initial state */ + if (strcmp(yytext, "TYPE") == 0) { + LEXTRACE("TYPE "); + return(TYPE); + } + if (strcmp(yytext, "ROLE") == 0) { + LEXTRACE("ROLE "); + return(ROLE); + } +#endif /* HAVE_SELINUX */ + if (!fill(yytext, yyleng)) + yyterminate(); + LEXTRACE("ALIAS "); + return(ALIAS); } YY_BREAK case 32: YY_RULE_SETUP -#line 375 "toke.l" +#line 385 "toke.l" { /* no command args allowed for Defaults!/path */ if (!fill_cmnd(yytext, yyleng)) @@ -2018,7 +2028,7 @@ YY_RULE_SETUP YY_BREAK case 33: YY_RULE_SETUP -#line 383 "toke.l" +#line 393 "toke.l" { BEGIN GOTCMND; LEXTRACE("COMMAND "); @@ -2028,7 +2038,7 @@ YY_RULE_SETUP YY_BREAK case 34: YY_RULE_SETUP -#line 390 "toke.l" +#line 400 "toke.l" { /* directories can't have args... */ if (yytext[yyleng - 1] == '/') { @@ -2046,7 +2056,7 @@ YY_RULE_SETUP YY_BREAK case 35: YY_RULE_SETUP -#line 405 "toke.l" +#line 415 "toke.l" { /* a word */ if (!fill(yytext, yyleng)) @@ -2057,7 +2067,7 @@ YY_RULE_SETUP YY_BREAK case 36: YY_RULE_SETUP -#line 413 "toke.l" +#line 423 "toke.l" { LEXTRACE("( "); return ('('); @@ -2065,7 +2075,7 @@ YY_RULE_SETUP YY_BREAK case 37: YY_RULE_SETUP -#line 418 "toke.l" +#line 428 "toke.l" { LEXTRACE(") "); return(')'); @@ -2073,7 +2083,7 @@ YY_RULE_SETUP YY_BREAK case 38: YY_RULE_SETUP -#line 423 "toke.l" +#line 433 "toke.l" { LEXTRACE(", "); return(','); @@ -2081,7 +2091,7 @@ YY_RULE_SETUP YY_BREAK case 39: YY_RULE_SETUP -#line 428 "toke.l" +#line 438 "toke.l" { LEXTRACE("= "); return('='); @@ -2089,7 +2099,7 @@ YY_RULE_SETUP YY_BREAK case 40: YY_RULE_SETUP -#line 433 "toke.l" +#line 443 "toke.l" { LEXTRACE(": "); return(':'); 
@@ -2097,7 +2107,7 @@ YY_RULE_SETUP YY_BREAK case 41: YY_RULE_SETUP -#line 438 "toke.l" +#line 448 "toke.l" { if (yyleng % 2 == 1) return('!'); /* return '!' */ @@ -2105,7 +2115,7 @@ YY_RULE_SETUP YY_BREAK case 42: YY_RULE_SETUP -#line 443 "toke.l" +#line 453 "toke.l" { BEGIN INITIAL; ++sudolineno; @@ -2115,14 +2125,14 @@ YY_RULE_SETUP YY_BREAK case 43: YY_RULE_SETUP -#line 450 "toke.l" +#line 460 "toke.l" { /* throw away space/tabs */ sawspace = TRUE; /* but remember for fill_args */ } YY_BREAK case 44: YY_RULE_SETUP -#line 454 "toke.l" +#line 464 "toke.l" { sawspace = TRUE; /* remember for fill_args */ ++sudolineno; @@ -2131,7 +2141,7 @@ YY_RULE_SETUP YY_BREAK case 45: YY_RULE_SETUP -#line 460 "toke.l" +#line 470 "toke.l" { BEGIN INITIAL; ++sudolineno; @@ -2141,7 +2151,7 @@ YY_RULE_SETUP YY_BREAK case 46: YY_RULE_SETUP -#line 467 "toke.l" +#line 477 "toke.l" { LEXTRACE("ERROR "); return(ERROR); @@ -2153,7 +2163,7 @@ case YY_STATE_EOF(GOTCMND): case YY_STATE_EOF(STARTDEFS): case YY_STATE_EOF(INDEFS): case YY_STATE_EOF(INSTR): -#line 472 "toke.l" +#line 482 "toke.l" { if (YY_START != INITIAL) { BEGIN INITIAL; @@ -2166,10 +2176,10 @@ case YY_STATE_EOF(INSTR): YY_BREAK case 47: YY_RULE_SETUP -#line 482 "toke.l" +#line 492 "toke.l" ECHO; YY_BREAK -#line 2173 "lex.yy.c" +#line 2183 "lex.yy.c" case YY_END_OF_BUFFER: { @@ -3058,7 +3068,7 @@ int main() return 0; } #endif -#line 482 "toke.l" +#line 492 "toke.l" static int _fill(src, len, olen) diff --git a/toke.l b/toke.l index a36c6a65e..5ec32da9b 100644 --- a/toke.l +++ b/toke.l 
@@ -364,12 +364,22 @@ NOSETENV[[:blank:]]*: {
 if (strcmp(yytext, "ALL") == 0) {
 LEXTRACE("ALL ");
 return(ALL);
- } else {
- if (!fill(yytext, yyleng))
- yyterminate();
- LEXTRACE("ALIAS ");
- return(ALIAS);
 }
+#ifdef HAVE_SELINUX
+ /* XXX - restrict type/role to initial state */
+ if (strcmp(yytext, "TYPE") == 0) {
+ LEXTRACE("TYPE ");
+ return(TYPE);
+ }
+ if (strcmp(yytext, "ROLE") == 0) {
+ LEXTRACE("ROLE ");
+ return(ROLE);
+ }
+#endif /* HAVE_SELINUX */
+ if (!fill(yytext, yyleng))
+ yyterminate();
+ LEXTRACE("ALIAS ");
+ return(ALIAS);
 }
 ({PATH}|sudoedit) {
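Review bot: The new TYPE/ROLE keyword tests are not limited to any start condition, so an existing sudoers alias named TYPE or ROLE, which this rule previously returned as ALIAS, now lexes as a keyword wherever the rule fires and breaks parsing of such files; the hunk's own `/* XXX - restrict type/role to initial state */` acknowledges the gap. Guarding the checks with the lexer state, `if (YY_START == INITIAL && strcmp(yytext, "TYPE") == 0) {` and likewise for ROLE, keeps the change to the positions where the grammar expects these keywords, and YY_START is already used elsewhere in this lexer. The generated toke.c hunk mirrors this code and would be regenerated from toke.l. The rule's pattern line, and hence the set of start conditions it is active in, is above the hunk.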